Questions tagged [git]

A popular distributed revision control system. Built for speed, data integrity and with support for distributed, non-linear workflows.

100 questions
4 votes, 2 answers

Deleted commit still visible from GitLab web interface, exposing sensitive data

Some weeks ago I accidentally committed a configuration file containing some passwords and I pushed it on a GitLab remote managed by my company. After that I used BFG Repo-Cleaner to remove the passwords from the history. After the clean I…
xonya
4 votes, 2 answers

Can a ransomware "destroy" git remote repositories?

Instead of a backup, I store my important documents (my résumé, certificates and such) in a git repository - which is then pushed to something like github. My reasons for using git instead of a backup are: My important documents are anyways inside…
toogley
4 votes, 3 answers

What can be done to secure passwords that might be stored in plain text or hashed inside a git repository?

I've heard a lot lately about coders being really bad at security. For one they store passwords and sensitive information inside Git repos which are often not secured well enough. Someone then comes along and makes a copy of the repo, and in turn…
leeand00
4 votes, 3 answers

Is it safe storing revision history on production servers?

Currently, at my workplace, we use svn export. This takes a long time and I have been playing with the idea to keep the revision history on the production server so we can simply fetch the updates. In practice I was thinking to have a…
3 votes, 2 answers

How easy is it to hide adding a file to a git repository?

Here's the scenario... I have a git repository on a server that may have been compromised. My development team say that they can trust the files in the directory that houses the git repository because all commits (diffs) and new files being added…
David Scholefield
3 votes, 1 answer

Git Signing commits in a private repo

Linus mentioned in 2009 that "Signing each commit is totally stupid". Has the common view evolved on this subject since then? Doesn't it protect against someone usurping your identity to commit something into your git repo? Thanks
Gaunt
3 votes, 1 answer

Are there any negative consequences if you change your ssh config for a host with `UpdateHostKeys no`?

I recently came across a question on stackoverflow.com regarding gitlab.com and ssh config. The solution apparently is to update your ssh config with the following: Host gitlab.com UpdateHostKeys no Unfortunately the author of the top/only…
3 votes, 1 answer

How secure is a git commit hash (sha1)?

Consider the following scenario: Someone, using a good version of git, issues a git clone followed by a git checkout of some commit hash (the 40 character hexadecimal). To clarify, assume Bob does the following on a secure machine: $ git clone…
Carlo Wood
3 votes, 1 answer

Providing access to Git repo behind a Firewall using Certs/Keys for Authentication

We have a Git repo sitting behind a firewall. As I see it, there are two ways of authenticating/accessing the Git repo: Add a Reverse HTTP Proxy in the DMZ that communicates with the Git repo. This will allow the user to access Git over HTTPS. Poke…
Saqib Ali
3 votes, 1 answer

What information is sent in the clear when git redirects from HTTP to HTTPS?

If a user tries git commands pointed at an http://gitlab.example.com address (and they have not connected to this domain before), the gitlab.example.com server redirects (or rewrites) to https://gitlab.example.com (note the s) and requires a correct…
jtd
3 votes, 0 answers

Why does Linus Torvalds not sign his Git commits?

Why does Linus Torvalds not sign his Git commits (with GPG)? Recent example: https://github.com/torvalds/linux/commit/566cf877a1fcb6d6dc0126b076aad062054c2637 Pretty scary. How can I be sure that he really does the commits?…
Florian Schneider
2 votes, 1 answer

When I sign a git commit, what is my signature actually based on?

I'm curious about what data actually gets signed when I sign a git commit or tag. Is it simply the commit message and metadata? How could I manually duplicate the signature, using gpg instead of git?
flickerfly
2 votes, 2 answers

How can the authenticity of releases on GitHub and GitLab be ensured? Can their hashsums change?

To help ensure the authenticity of packages, some projects on GitHub and on GitLab add hashsums to the descriptions of the release on the Releases page. Sometimes, at least here, the hashsums are made part of the release's filename. Sometimes, at least…
mYnDstrEAm
2 votes, 0 answers

Storing users' private keys to clone git repositories on their behalf

Let's say I have a multi-user application deployed in a customer's data center that needs to clone/update git repositories - both "interactively" when a user is creating a new project (which consists of 1-N git repositories) and "in the background"…
2 votes, 2 answers

Confused about GitHub's GPG key association and authenticity

I'm not sure I understand GPG, and something on GitHub has left me wondering. In git, a GPG private key can then be used to sign commits, which allows someone who is in possession of the public key of the committer to verify the signature. If they…
Hay